Half a million database servers vulnerable
By Christophe Elise, Sat, November 17th, 2007
Security researcher David Litchfield released a study saying that nearly half a million database servers are not well protected.
The study is based on a survey of 1,160,000 Internet addresses. Litchfield scanned the IP addresses on TCP ports 1433 (SQL Server) and 1521 (Oracle). When a port was open, he ran a version check, and only systems that responded to the version check were counted. Nearly half a million Oracle and Microsoft SQL database servers are not even protected by firewalls. Most of them were running an older version of the OS, sometimes a version no longer supported, or worse, they were not patched at all. For instance, 82 percent of Microsoft SQL Server databases were running SQL Server 2000, 54 percent were not running the most recent update, and 4 percent were unpatched. 13 percent of Oracle database servers are vulnerable to critical flaws, like the one that was exploited by the SQL Slammer worm.
